Cisco Support Community
New Member

Easy VPN PIX to 1700 router

Hi,

I’m having trouble with RRI into VRF.

I get the reverse route in the global routing table but not in the VRF table.

The remote PIXes are using DHCP on the outside interface.

Both the ISAKMP and the IPsec come up.

My config is:

version 12.2
!
hostname VPNTERM-GOOH_test
!
logging queue-limit 100
logging buffered 20000 debugging
no logging console
enable secret xxxx
!
username GOOHARN password xxx
memory-size iomem 25
aaa new-model
!
aaa authentication login default local
aaa authentication login goohauthen local
aaa authorization network goohauthor local
aaa session-id common
ip subnet-zero
!
ip vrf name
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GOOHARN
 key
 dns x.x.x.x
 wins x.x.x.
 domain gooh.lan
 pool POOL-GOOHARN
!
crypto isakmp client configuration group goohclients
 key
 dns z.z.z.z
 wins z.z.z.z
 domain gooh.lan
 pool ippool-gooh
!
crypto ipsec transform-set GoohArnset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set GoohArnset
 reverse-route remote-peer
!
crypto map Goohmap client authentication list gooharnauthen
crypto map Goohmap isakmp authorization list gooharnauthor
crypto map Goohmap client configuration address respond
crypto map Goohmap 10 ipsec-isakmp dynamic dynmap
!
crypto map gooh-map client authentication list goohauthen
crypto map gooh-map isakmp authorization list goohauthor
crypto map gooh-map client configuration address respond
!
interface BRI0
 no ip address
 shutdown
!
interface FastEthernet0
 ip address x.x.x.x x.x.x.x
 speed 100
 full-duplex
 no cdp enable
 crypto map Goohmap
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface Vlan1
 ip vrf forwarding Lantmannen
 ip address y.y.y.y y.y.y.y
!
ip local pool POOL-GOOHARN x.x.x.x x.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route vrf Lantmannen 0.0.0.0 0.0.0.0 y.y.y.y
no ip http server
no ip http secure-server

2 REPLIES
Cisco Employee

Re: Easy VPN PIX to 1700 router

You haven't mapped the crypto map into a VRF at all; that's why the routes are appearing in the global routing table. It's not enough to simply define a VRF on the router, you have to tell it that a specific crypto config is in that VRF.

You need to follow the config guide here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm

At the very least you need to define an ISAKMP Profile and put that in a VRF, then under your crypto map assign it to the correct ISAKMP profile.

New Member

Re: Easy VPN PIX to 1700 router

Hi,

Thanks for your reply.

The problem I have is that I can't create a profile because the PIX is using Easy VPN to connect.

I've tried to configure it in the dynamic map, but the only command there is "reverse-route remote-peer"; there is nothing to inject it into the VRF.
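What the Cisco Employee's reply describes, written out as an added example (this is not configuration from either poster): an ISAKMP profile that carries the vrf keyword and is referenced from the dynamic map, so that the reverse routes RRI installs for each peer land in the VRF instead of the global table. The profile name GOOHARN-PROF and the angle-bracket placeholders are assumptions; the group, crypto map, transform-set, pool, AAA list and VRF names are the ones used in the thread. The profile selects peers by the Easy VPN group name they present (match identity group), so no per-peer profile is needed for a PIX running Easy VPN.

```text
! Added example, not the original poster's config.
! GOOHARN-PROF and all <...> values are assumptions.
!
ip vrf Lantmannen
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
aaa new-model
aaa authentication login goohauthen local
aaa authorization network goohauthor local
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GOOHARN
 key <pre-shared-key>
 domain gooh.lan
 pool POOL-GOOHARN
!
! The ISAKMP profile is what ties the tunnel to the VRF. Peers that present
! the Easy VPN group name GOOHARN are matched here, "vrf Lantmannen" makes
! that VRF the inside VRF for their decrypted traffic, and the reverse routes
! created by RRI are installed in the same VRF. The client authentication,
! authorization and address-respond statements move from the crypto map into
! the profile.
crypto isakmp profile GOOHARN-PROF
 vrf Lantmannen
 match identity group GOOHARN
 client authentication list goohauthen
 isakmp authorization list goohauthor
 client configuration address respond
!
crypto ipsec transform-set GoohArnset esp-3des esp-md5-hmac
!
! The dynamic map now points at the profile; reverse-route stays as before.
crypto dynamic-map dynmap 10
 set transform-set GoohArnset
 set isakmp-profile GOOHARN-PROF
 reverse-route remote-peer
!
crypto map Goohmap 10 ipsec-isakmp dynamic dynmap
!
! Outside interface stays in the global table (the front-door VRF).
interface FastEthernet0
 ip address <public-ip> <mask>
 crypto map Goohmap
!
! Inside interface and the default route for the inside VRF.
interface Vlan1
 ip vrf forwarding Lantmannen
 ip address <inside-ip> <mask>
!
ip local pool POOL-GOOHARN <pool-start> <pool-end>
ip route vrf Lantmannen 0.0.0.0 0.0.0.0 <inside-next-hop>
```

Once a PIX has connected, "show crypto isakmp sa" confirms the phase 1 association and "show ip route vrf Lantmannen" should list the peer's reverse route (tagged as static) in the VRF table rather than in "show ip route". If the route still appears only in the global table, check that the peer's group name actually matches the profile's match identity group clause, since a peer that matches no profile falls back to the global VRF.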
